Conventionally, a policy-based network management scheme manages and executes security policies by applying the intrusion detection and response concept to a network environment in a more effective and integrated manner.
Conventional protocols for a policy-based intrusion detection and response system are classified into the common open policy service (COPS) protocol for transmitting policy information and the intrusion alert protocol/intrusion detection exchange protocol (IAP/IDXP) for transmitting alert information. In this case, the IAP/IDXP must additionally be installed at a policy-based system that already has the COPS protocol in order to transmit alert information appropriately.
FIG. 1 is a block diagram illustrating a conventional alert transmission apparatus for policy-based intrusion detection and response, including a central policy server (CPS) 10 and an intrusion detection and response system (IDRS) 20.
Security policy information (hereinafter, policy information) generated at a policy management tool 11 in the CPS 10 is stored at a policy repository (PR) 12 and provided to a COPS server 13 at the same time.
The COPS server 13 provides the policy information to a COPS client 21 in the IDRS 20 through a COPS protocol S1, and then, the COPS client 21 sends the policy information to an intrusion response module 23 and an intrusion detection module 25 to thereby execute the policy information.
If an intrusion by an attacker occurs while the policy information provided from the COPS client 21 is being executed, the intrusion detection module 25 detects the intrusion and generates a raw alert transmission message. Then, the raw alert transmission message is provided to an IDMEF-XML (intrusion detection message exchange format, extensible markup language) message building module 27 and to the intrusion response module 23. When the raw alert transmission message is transmitted from the intrusion detection module 25 to the intrusion response module 23, the intrusion response module 23 responds to the intrusion.
The IDMEF-XML message building module 27 transforms the raw alert transmission message into an IDMEF-XML-type alert transmission message and provides the IDMEF-XML-type alert transmission message to an IAP/IDXP analyzer 29.
The IAP/IDXP analyzer 29 provides the IDMEF-XML-type alert transmission message to an IAP/IDXP manager 14 in the CPS 10 through an IAP/IDXP protocol S2.
The IAP/IDXP manager 14 sends the IDMEF-XML-type alert transmission message to an IDMEF-XML message parsing and translation module 15. The IDMEF-XML message parsing and translation module 15 parses and translates the IDMEF-XML-type alert transmission message, so that the message is stored at an alert database (DB) 16 or provided to an alert viewer 17.
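The two message transformations in FIG. 1, building an IDMEF-XML alert from a raw detection (module 27) and parsing it back into a flat record for the alert DB 16 or the alert viewer 17 (module 15), can be illustrated in Python. The following is an added example and is not code from the original document; element names follow the IDMEF schema of RFC 4765 in simplified form, while the raw alert dictionary layout, the analyzer id and the sample addresses are constructed for this example.

```python
"""Build an IDMEF-XML alert from a raw detection record, then parse it back.

Added example illustrating the IDMEF-XML message building module (27) and the
parsing and translation module (15) described in the text; not the document's
own code. Element names follow RFC 4765 (simplified); the raw alert dictionary
layout, analyzer id and addresses are constructed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

IDMEF_NS = "http://iana.org/idmef"
ET.register_namespace("idmef", IDMEF_NS)


def _q(tag):
    """Qualify a tag with the IDMEF namespace."""
    return f"{{{IDMEF_NS}}}{tag}"


def build_idmef_alert(raw):
    """Transform a raw alert (dict) into an IDMEF-XML alert message string.

    `raw` uses a constructed layout: {"id", "time", "sensor", "src", "dst",
    "signature", "severity"}.
    """
    root = ET.Element(_q("IDMEF-Message"), {"version": "1.0"})
    alert = ET.SubElement(root, _q("Alert"), {"messageid": raw["id"]})
    ET.SubElement(alert, _q("Analyzer"), {"analyzerid": raw["sensor"]})
    create = ET.SubElement(alert, _q("CreateTime"))
    create.text = raw["time"].astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # Source and Target each carry a Node with one IPv4 Address element.
    for role, ip in (("Source", raw["src"]), ("Target", raw["dst"])):
        node = ET.SubElement(ET.SubElement(alert, _q(role)), _q("Node"))
        addr = ET.SubElement(node, _q("Address"), {"category": "ipv4-addr"})
        ET.SubElement(addr, _q("address")).text = ip
    ET.SubElement(alert, _q("Classification"), {"text": raw["signature"]})
    assess = ET.SubElement(alert, _q("Assessment"))
    ET.SubElement(assess, _q("Impact"), {"severity": raw["severity"]})
    return ET.tostring(root, encoding="unicode")


def parse_idmef_alert(xml_text):
    """Parse an IDMEF-XML alert and translate it into a flat record for storage.

    xml.etree does not expand external entities, but for messages from sensors
    that are not fully trusted a hardened parser such as defusedxml is preferable.
    """
    root = ET.fromstring(xml_text)
    alert = root.find(_q("Alert"))

    def addr(role):
        el = alert.find(f"{_q(role)}/{_q('Node')}/{_q('Address')}/{_q('address')}")
        return el.text if el is not None else None

    return {
        "id": alert.get("messageid"),
        "sensor": alert.find(_q("Analyzer")).get("analyzerid"),
        "time": alert.find(_q("CreateTime")).text,
        "src": addr("Source"),
        "dst": addr("Target"),
        "signature": alert.find(_q("Classification")).get("text"),
        "severity": alert.find(_q("Assessment")).find(_q("Impact")).get("severity"),
    }


# Constructed sample raw alert, as the detection module might hand it over.
SAMPLE_RAW = {
    "id": "abc123",
    "time": datetime(2003, 1, 15, 9, 30, 0, tzinfo=timezone.utc),
    "sensor": "idrs-sensor-01",
    "src": "192.0.2.10",
    "dst": "198.51.100.20",
    "signature": "Port scan",
    "severity": "medium",
}

if __name__ == "__main__":
    message = build_idmef_alert(SAMPLE_RAW)
    print(message)
    print(parse_idmef_alert(message))
```

The round trip is what the alert DB depends on: every field the viewer needs must survive the building and parsing steps, so a record parsed from the built message should equal the raw alert apart from the time representation.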
In order to transmit alert information between the CPS 10 and the IDRS 20, both the COPS protocol S1 for transmitting the policy information and the IAP/IDXP S2 for transmitting the IDMEF-XML-type alert transmission message are required. As a result, the structural complexity between the CPS 10 and the IDRS 20 increases. Further, when a plurality of clients (e.g., a plurality of IDRSs 20) are connected to a single server (e.g., the CPS 10), the alert information and the policy information may be managed inconsistently.
Alert transmission technologies for the policy-based intrusion detection and response are described in “Method for Transmitting Alert Information in Transmission System,” filed as a Korean application No. 10-1998-0060879 on Dec. 30, 1998, “Distributed Intrusion Detection and Reaction Architecture,” disclosed in Proceedings of WISA 2002 dated August 2002, and “A Design of Secure Network Framework using PBNM,” disclosed in Proceedings of APNOMS2002 dated September 2002.
According to the Korean application No. 1998-0060879, in a method for transmitting alert information, the alert information generated in the transmission system is sent to an operator of a central center such as a network management system. The method is performed by the following steps. When alert information is received, a timer is set. The received alert information is continuously stored in a buffer. When a timeout signal is received from the timer, the alert information stored in the buffer is read and transformed into an alert packet. Then, it is checked whether the buffer is full of alert information. If the buffer is full, the alert information is likewise transformed into an alert packet.
Thereafter, it is checked whether a channel to the central center has been set up in the transmission system. If the channel has not been set up, the channel is set up. On the other hand, if the channel has already been set up, the alert packet is output to the central center. When the alert packet has been entirely transferred, the channel is released.
In this prior art, the alert information generated in the transmission system during a fixed period is grouped into one packet and then sent to the central center, thereby limiting the increase in traffic caused by the transmission of the alert information.
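The timer-and-buffer procedure just described can be modelled in Python. The following is an added example, not the application's own code: the channel is a constructed stub, `max_buffer` and `timeout` are assumed parameters, and the clock is injected (`now`) so that the flush-on-timeout and flush-on-full paths can be driven deterministically.

```python
"""Timer-and-buffer alert batching, modelling the method described above.

Added example, not the Korean application's own code. The Channel class is a
constructed stand-in for the channel to the central center; max_buffer and
timeout are assumed parameters; time is passed in explicitly.
"""


class Channel:
    """Constructed stand-in for the channel to the central center."""

    def __init__(self):
        self.is_set = False
        self.sent = []

    def setup(self):
        self.is_set = True

    def send(self, packet):
        if not self.is_set:
            raise RuntimeError("channel must be set before sending")
        self.sent.append(packet)

    def release(self):
        self.is_set = False


class AlertBatcher:
    def __init__(self, channel, max_buffer=4, timeout=5.0):
        self.channel = channel
        self.max_buffer = max_buffer
        self.timeout = timeout
        self.buffer = []
        self.timer_deadline = None  # None: no timer running

    def receive(self, alert, now):
        """Set the timer on the first alert of a batch and store the alert."""
        if self.timer_deadline is None:
            self.timer_deadline = now + self.timeout
        self.buffer.append(alert)
        # A full buffer is packetised immediately, without waiting for the timeout.
        if len(self.buffer) >= self.max_buffer:
            return self._flush()
        return None

    def tick(self, now):
        """Deliver the timeout signal from the timer, if it has expired."""
        if self.timer_deadline is not None and now >= self.timer_deadline:
            return self._flush()
        return None

    def _flush(self):
        """Read the buffer into one packet, set the channel if needed, send, release."""
        if not self.buffer:
            self.timer_deadline = None
            return None
        packet = {"count": len(self.buffer), "alerts": list(self.buffer)}
        self.buffer.clear()
        self.timer_deadline = None
        if not self.channel.is_set:
            self.channel.setup()
        self.channel.send(packet)
        self.channel.release()
        return packet


def run_scenario():
    """Constructed scenario: six alerts; returns the packets the channel carried."""
    ch = Channel()
    b = AlertBatcher(ch, max_buffer=4, timeout=5.0)
    for i, t in enumerate([0.0, 1.0, 2.0, 3.0]):  # fourth alert fills the buffer
        b.receive(f"alert-{i}", now=t)
    b.receive("alert-4", now=6.0)  # new batch, timer expires at 11.0
    b.tick(now=8.0)                # too early: nothing is sent
    b.receive("alert-5", now=9.0)
    b.tick(now=11.0)               # timeout: the two buffered alerts go out
    return ch.sent


if __name__ == "__main__":
    for p in run_scenario():
        print(p)
```

Both triggers end in the same flush path, so a single well-tested `_flush` covers the channel set-up, transfer and release sequence; the scenario sends two packets, one of four alerts released by the full buffer and one of two alerts released by the timer.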
Next, according to “Distributed Intrusion Detection and Reaction Architecture”, a distributed intrusion detection and response system includes a central analysis center functioning as a policy decision point (PDP), like the policy-based intrusion detection and response system; a distributed analysis center for processing the functions of the central analysis center in a distributed manner; a sensor acting as a policy enforcement point (PEP); and security policy enforcement points.
Each of the central analysis center and the distributed analysis center has a central security policy server, a central monitor station, a central analyzer center and a central data warehouse acting as a policy repository.
Herein, as the protocols conveying information between the PDP and the PEP, an intrusion detection exchange protocol (IDXP) is used for transmitting alert information and a common open policy service (COPS) protocol is used for transmitting policy information, wherein the IDXP is defined as a profile of the blocks extensible exchange protocol (BEEP), a general application protocol framework. Both protocols transmit information by using the security characteristics provided by the transport layer security (TLS) profile and the SASL profile offered by the BEEP. Therefore, the policy information and the alert information can be transmitted more safely.
The prior art describes that the COPS protocol for transmitting the policy information may be applied on the BEEP in two ways. First, the COPS protocol can be used directly on the BEEP without modification. Second, the COPS protocol is transformed into an XML-type protocol corresponding to a profile of the BEEP and then used. In this case, the alert information has the IDMEF-XML type being standardized by the intrusion detection working group (IDWG) of the Internet Engineering Task Force (IETF).
Next, according to “A Design of Secure Network Framework using PBNM”, a cyber patrol control system (CPCS) acting as a central policy server in a wide area network performs security management, and a security gateway system (SGS) includes an intrusion detection system (IDS) for intrusion detection and response.
The CPCS includes a COPS server for transmitting policy information, an IAP server for transmitting alert information, an alert manager for managing the alert information provided from several SGSs, a high-level analyzer for performing high-level synthetic analyses such as alert correlation, a policy management tool for generating and editing the policy information, a policy decision point for distributing the generated policy information and a web server for providing a user interface.
Meanwhile, the SGS includes a COPS client for transmitting the policy information, an intrusion alert protocol (IAP) client for transmitting the alert information, a CP-agent acting as a local manager in the SGS, a DBM for storing and managing both the policy information and the alert information and a sensor/analyzer for detecting an intrusion.
In this prior art, the protocols for conveying information between the CPCS (PDP) and the SGS (PEP) include the COPS protocol and the IAP protocol. The COPS protocol, proposed by PBNM, is used for transmitting the policy information, and the IAP protocol, proposed by the IDWG of the IETF, is used for transmitting the alert information. Both protocols have a client and a server, the server being located in the CPCS and the client in the SGS.
The alert information transmitted between the CPCS and the SGS has the IDMEF-XML type being standardized by the IDWG of the IETF. The IDMEF-XML-type alert information is carried in the payload of an IAP protocol message.
The above-mentioned prior arts still have problems. Specifically, as shown in FIG. 1, both the COPS protocol S1 for transmitting the policy information and the IAP/IDXP S2 for transmitting the alert information between the CPS 10 and the IDRS 20 are required to convey the alert information, thereby increasing the structural complexity between the CPS 10 and the IDRS 20. Further, in the case where a plurality of clients are connected to a single server, inconsistent management of the information can be a problem.